Pagefile.sys question

(@confusedyoungman)
Posts: 22
Eminent Member
Topic starter
 
Posted by: @jaclaz

No idea about Belkasoft being best or if there are other (better) software.

About servers I would hope that they are dimensioned (and their software configured) in such a way that use of the pagefile is at a minimum.

But it doesn't change the result, both if the pagefile is not used or if it is used a lot, chances of finding the specific info you are looking for are very low, it becomes a sort of  birthday paradox in the "same birthday as you" special case:

https://en.wikipedia.org/wiki/Birthday_problem#Same_birthday_as_you

jaclaz

Thanks for all the info, lad. I came in asking whether pagefile.sys was a good way to find evidence of chat rooms/forums, to which I got the answer: practically no. Belkasoft say they do not extract "texts" like that from browsers at all. But you've taught me a lot more than I initially came in looking for, thank you.

 
Posted : 17/10/2020 1:51 pm
Bunnysniper
(@bunnysniper)
Posts: 259
Reputable Member
 
Posted by: @confusedyoungman

@bunnysniper

Thanks for the reply. Is there a general timeframe for much longer? If some artefacts are lost after two reboots would you expect to find artefacts that last longer than a month or a year or is there no timeframe at all? If pagefile.sys is the last place you look what's the first?

At first, please make yourself clear what pagefile.sys is and where it comes from. "Once upon a time"... I bought 64 MB of RAM for my Intel 386 and paid round about 200 DM (Deutsche Mark - this currency does not even exist any longer) for it. So everyone was happy that you could extend your memory to the much cheaper hard drive in a pagefile, but the hard drive access was much, much slower. And every time you played "Doom" at that time, the Windows OS swapped some memory content from the physical memory to the hard drive and back when needed. This is how fragments of memory content can get into a pagefile. And if you do not need a lot of memory again, some fragments will survive longer. Other fragments of memory will stay there only for minutes, until an application needs much more memory than is available and overwrites old memory content with new memory content. This makes pagefile.sys somehow valuable for a digital forensic investigation, but unreliable at the same time. Today, modern systems have plenty of memory and do not use the pagefile, since they have plenty of fast memory. Some system admins reduce it to the minimum size of IIRC 16 MB to prevent swapping at all.

Better artifacts? Depends on the case, the affected operating system and what the story of the incident is. Believe it or not, sometimes you cannot miss the evidence when having a look into the Windows event log files. If you want to look for execution artifacts, amcache, prefetch and shimcache usually do the job. And there are many more locations to look for... hire a professional if you need one.

 

regards,

Robin

 
Posted : 19/10/2020 10:38 am
(@confusedyoungman)
Posts: 22
Eminent Member
Topic starter
 
Posted by: @bunnysniper

At first, please make yourself clear what pagefile.sys is and where it comes from. "Once upon a time"... I bought 64 MB of RAM for my Intel 386 and paid round about 200 DM (Deutsche Mark - this currency does not even exist any longer) for it. So everyone was happy that you could extend your memory to the much cheaper hard drive in a pagefile, but the hard drive access was much, much slower. And every time you played "Doom" at that time, the Windows OS swapped some memory content from the physical memory to the hard drive and back when needed. This is how fragments of memory content can get into a pagefile. And if you do not need a lot of memory again, some fragments will survive longer. Other fragments of memory will stay there only for minutes, until an application needs much more memory than is available and overwrites old memory content with new memory content. This makes pagefile.sys somehow valuable for a digital forensic investigation, but unreliable at the same time. Today, modern systems have plenty of memory and do not use the pagefile, since they have plenty of fast memory. Some system admins reduce it to the minimum size of IIRC 16 MB to prevent swapping at all.

Better artifacts? Depends on the case, the affected operating system and what the story of the incident is. Believe it or not, sometimes you cannot miss the evidence when having a look into the Windows event log files. If you want to look for execution artifacts, amcache, prefetch and shimcache usually do the job. And there are many more locations to look for... hire a professional if you need one.

 

regards,

Robin

Thanks for the response. I came in asking whether pagefile.sys was a good way to find evidence of chat rooms/forums, to which I got the answer: practically no. Belkasoft say they do not extract "texts" like that from browsers at all. But another user explained more about what pagefile.sys is and why my original question was unlikely; I feel I've a much better grasp on it.

 
Posted : 22/10/2020 6:17 pm
(@confusedyoungman)
Posts: 22
Eminent Member
Topic starter
 
Posted by: @jaclaz
Sorry to bother you again. I've decided to use computer forensics as the basis for my criminal law end-of-year paper. It will mostly focus on temporary files. I want to use my original uneducated question of whether pagefile.sys can be used to read the text of forum posts or chat logs as a small section of the paper under limitations. We've established that it is possible, if extremely unlikely. I contacted both Belkasoft and Magnet Axiom (who from what I can tell would be the main software in terms of pagefile analysis) and both said their software wouldn't look for that kind of artefact. Do you know of any other software that might? Just so I can comprehensively say that it is such a long shot that most computer forensics software doesn't even consider looking for it.

 

Posted : 06/11/2020 9:38 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

The pagefile.sys is a semi-random sequence of (ex-memory) "pages", i.e. a semi-random sequence of 4 KB "blocks".

As such it is not in any way (apart from the order of the sequence of these blocks) different from "RAW" data, i.e. it can be carved exactly like *any* RAW data; as an example, it is not in any way different from carving (fragmented) unallocated data on a disk for text.

*like*:

https://www.forensicfocus.com/forums/forensic-software/carving-software-for-txt-files/

Since texts (text files) are headerless and footerless (and have no particular "signature") there is no "known format" to look for, so the carving has to be based on contents; basically it is "string extraction", and a hypothetical attribution to this (or that) program can only be indirect and based on content and context.

jaclaz

Posted : 07/11/2020 11:03 am
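The "string extraction" jaclaz describes, as an added example that is not part of the thread and not any vendor's code: a Python carver that treats a pagefile-like buffer as raw 4 KB pages, pulls out printable ASCII and UTF-16LE runs (the encoding Windows applications usually hold text in), tags each hit with the page it starts in and whether it crosses a page boundary, and attaches only an indirect, content-based hint ("url", "html", "plain") about where a fragment may have come from. The sample buffer is constructed inside the block; the page layout and the fragments in it are assumptions for the demo, not data from a real pagefile.

```python
"""Content-based string carving over a pagefile-like buffer (added example).

A pagefile has no file-level structure: it is a sequence of 4 KB pages in
semi-random order, so text can only be recovered by scanning raw bytes for
printable runs, exactly as one would carve unallocated disk space.
"""
import re

PAGE_SIZE = 4096  # pages are 4 KB blocks, as the post says

# Content-based hints only; nothing in a pagefile records the owning process.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
HTML_RE = re.compile(r"</?[A-Za-z][^>]*>")


def extract_strings(buf: bytes, min_len: int = 8):
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, in ASCII and in UTF-16LE (printable byte, 0x00)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = []
    for m in ascii_re.finditer(buf):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(buf):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(hits)


def classify(text: str) -> str:
    """Indirect attribution hint from content and context, never a proof of
    which program wrote the page."""
    if URL_RE.search(text):
        return "url"
    if HTML_RE.search(text):
        return "html"
    return "plain"


def carve_pagefile(buf: bytes, min_len: int = 8):
    """Carve strings from the whole buffer; record the page each one starts
    in and whether it runs into the next page. A run that spans two pages is
    only one message if those pages happened to be adjacent in memory too."""
    results = []
    for offset, enc, text in extract_strings(buf, min_len):
        nbytes = len(text) if enc == "ascii" else 2 * len(text)
        first_page = offset // PAGE_SIZE
        last_page = (offset + nbytes - 1) // PAGE_SIZE
        results.append({
            "offset": offset,
            "page": first_page,
            "spans_pages": last_page != first_page,
            "encoding": enc,
            "kind": classify(text),
            "text": text,
        })
    return results


def build_sample_pagefile() -> bytes:
    """Constructed demo buffer of five pages (assumed layout, not real data)."""
    noise = b"\x01\x80\xfe\x7f" * 64  # 256 bytes of non-printable filler

    def page(payload: bytes) -> bytes:
        assert len(payload) <= PAGE_SIZE
        return payload + b"\x00" * (PAGE_SIZE - len(payload))

    p0 = page(b"")  # zeroed page: nothing to carve
    p1 = page(noise + b"GET /forum/thread/42 HTTP/1.1" + noise
              + "https://forum.example/thread/42".encode("utf-16-le"))
    p2 = page(noise + b'<div class="post">see you tonight</div>')
    # A fragment that runs off the end of page 3 into page 4.
    tail = b"part one of a message that continues"
    p3 = b"\x00" * (PAGE_SIZE - len(tail)) + tail
    p4 = page(b" ... and here is the second half")
    return p0 + p1 + p2 + p3 + p4


if __name__ == "__main__":
    for hit in carve_pagefile(build_sample_pagefile()):
        print(f"page {hit['page']:>2} @0x{hit['offset']:06x} "
              f"{hit['encoding']:<8} {hit['kind']:<5} "
              f"{'SPANS ' if hit['spans_pages'] else ''}{hit['text']!r}")
```

Run it as a script to see the four hits. Note that the carver finds the HTTP request line, the URL and the HTML fragment, but the only thing linking them to a browser is their content; the same bytes could have been paged out by any process that handled them, which is the indirect attribution jaclaz warns about.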
(@trewmte)
Posts: 1877
Noble Member
 
Posted by: @confusedyoungman
Do you know of any other software that might? Just so I can comprehensively say that it is such a long shot that most computer forensics software doesn't even consider looking for it.

As you want to create a comprehensive list of software you have considered for your law thesis, what about RawCopy, The Volatility Framework, Redline Collector, Rekall Project, DiskInternals Linux Reader 4.6.1 etc., and whether these tools should be discounted, too?

Jaclaz has identified for you a number of helpful avenues for your research. But there are quite a few digital forensics papers written on the subject of pagefile.sys recovery out there, if you are unaware?

You may wish to speak with someone from SANS about their FOR500.1/2 course. Not to undertake their course but to get their current viewpoint on pagefile.sys recovery. Makes good reading copy (no pun intended), if nothing else, to get a trainer's viewpoint as opposed to a tool provider's viewpoint?

You may also want to seek clarification on the difference between Stream Carving compared to File Carving?

Posted : 08/11/2020 11:52 am